So, what do YOU guys do
about people trying to hack into your BBS? Just ignore them and let them have their fun? Or are there ways to stop them? I'm open to suggestions. Thanks.
entertaining, in a way, but it's also annoying. So, what do YOU guys do about people trying to hack into your BBS? Just ignore them and let them have their fun? Or are there ways to stop them? I'm open to suggestions.
change the port from 23 to some other port number.
TBH, nothing on the BBS side. Just let the bots try and fail at doing their thing.
I do a bit more on the home firewall side of things, however. There are various deny-lists and other tools that can prevent 'Known Bad' IPs from getting as far as your BBS, and also heuristically block repeated attempts.
So, what do YOU guys do about people trying to hack into your BBS? Just Al> ignore them and let them have their fun? Or are there ways to stop them? Al> I'm open to suggestions. Thanks.
--- Mystic BBS v1.12 A47 2021/12/25 (Windows/64)
My board doesn't get any real callers, but I get a constant barrage of people trying to break in. It's funny, really. This one guy keeps trying to use paswords like "root" or "admin" (the old standbys). I finally
left him (or her) a message on one of the login screens, telling them to give it up because there is nothing here except for a little server with
a bulletin board on it, and they persist. I realize that most of these attempts are from bots, but I have had a few humans too. This is all
very entertaining, in a way, but it's also annoying. So, what do YOU
guys do about people trying to hack into your BBS? Just ignore them and let them have their fun? Or are there ways to stop them? I'm open to suggestions. Thanks.
I use this powershell script to block out whole countries and regions which really calms down (but doesn't eliminate) the noise: https://bbs.lc/oHfO7
I also block out Digital Ocean & Linode's IP ranges:
I have my Router blocking countries now, I have about 7 or 8 of them,
the usual suspects, North Korea, Russia, China, and a few other
Communist states.. It works well for me.. My Mystic which is on port 23
I haven't thought of actually blocking countries at the router. I've been letting Mystic take care of that. But if it gets worse, I'll try that. Thanks.
Alonzo wrote to All <=-
My board doesn't get any real callers, but I get a constant barrage of people trying to break in. It's funny, really. This one guy keeps
trying to use paswords like "root" or "admin" (the old standbys). I finally left him (or her) a message on one of the login screens,
telling them to give it up because there is nothing here except for a little server with a bulletin board on it, and they persist. I realize
My board doesn't get any real callers, but I get a constant barrage of people trying to break in. It's funny, really. This one guy keeps trying to use paswords like "root" or "admin" (the old standbys). I finally leftYou should make those accounts! root and admin and when they do manage a log-in, have the accounts suspended so that they are immediatly disconnected, hahaha!
Back in the day, I had a friend who hosted CHRIS-CO BBS (his name is Chris he wrote a script for his VBBS6.14/VAdvanced 2.10 board that new users had input the phone number they were calling from, and the board would disconn them and then call that number and somehow (i don't remember the details)
Re: hackers
By: Mewcenary to Alonzo on Sat Jan 07 2023 05:57 pm
Back in the day, I had a friend who hosted CHRIS-CO BBS (his name is Chris) and he wrote a script for his VBBS6.14/VAdvanced 2.10 board that new users had to input the phone number they were calling from, and the board would disconnect them and then call that number and somehow (i
don't remember the details) verify that it was a legit caller. I think
you could have your dialer software open and answer an incoming call? I really don't remember I wasn't even driving back then I was a kiddo. I thought that was real neat though! He had a number of scripts written,
and even wrote his own net "CHRIS-NET" that all the local boards were apart of. I don't know what ever happened to that dood. His handle was "Computer Whiz".
Taphophile
The phone modems of that period were used to communicate in 2 directions. Obviously, you could get incoming to your BBS. But you used them when calling to another BBS. This "feature" of verifying a user was actually quite common. Look here
TBH, nothing on the BBS side. Just let the bots try and fail at doing their thing.
I do a bit more on the home firewall side of things, however. There are various deny-lists and other tools that can prevent 'Known Bad' IPs from getting as far as your BBS, and also heuristically block repeated attempts.
Defense in depth also means taking regular full backups, so in the event of a successful hack, I can restore to something Known Good.
Back in the day, I had a friend who hosted CHRIS-CO BBS (his name is Chris) and he wrote a script for his VBBS6.14/VAdvanced 2.10 board that new users had to input the phone number they were calling from, and the board would disconnect them and then call that number and somehow (i
don't remember the details) verify that it was a legit caller. I think
you could have your dialer software open and answer an incoming call? I really don't remember I wasn't even driving back then I was a kiddo. I thought that was real neat though! He had a number of scripts written,
and even wrote his own net "CHRIS-NET" that all the local boards were apart of. I don't know what ever happened to that dood. His handle was "Computer Whiz".
Chris) and he wrote a script for his VBBS6.14/VAdvanced 2.10 board th new users had to input the phone number they were calling from, and t board would disconnect them and then call that number and somehow (i don't remember the details) verify that it was a legit caller. I thin
My board doesn't get any real callers, but I get a constant barrage of people trying to break in.
Yeah I did the same thing with a board I had back in the 90s. I
eventually quit using it because most people ignored it. With
Telnet though, it's complicated. What would you verify? You can't
verify an IP because people just use VPNs, so IP addresses are
meaningless. And if people are just trying to brak your BBS,
they never register anyway, so there's no personal info.
I have my Router blocking countries now, I have about 7 or 8 of them, the usual suspects, North Korea, Russia, China, and a few other Communist states.. It works well for me.. My Mystic which is on port
I haven't thought of actually blocking countries at the router. I've been letting Mystic take care of that. But if it gets worse, I'll try that. Thanks.
Yeah, I am thinking about limiting access to ANSI-only. I am getting so sick of these bots and clueless people. It's really taking the fun out
of it.
On 1/10/23 08:34, Alonzo wrote:
Yeah I did the same thing with a board I had back in the 90s. I
eventually quit using it because most people ignored it. With
Telnet though, it's complicated. What would you verify? You can't
verify an IP because people just use VPNs, so IP addresses are
meaningless. And if people are just trying to brak your BBS,
they never register anyway, so there's no personal info.
I've thought about pre-verifying email addresses in order to login. I changed my telnet login to use "email" first, so new users it's the
first thing, but haven't coded up the preverify logic yet.
Also considering adding SMS verification as an alternative to email verification.
Tracker1 wrote (2023-01-11):
A great way to discourage users to sign up. As a user, how do I know
that your BBS is not a honeypot for collecting email addresses and phone
Yeah, I am thinking about limiting access to ANSI-only. I am getting sick of these bots and clueless people. It's really taking the fun ou of it.
Yeah, an ANSI restriction may limit SOME bots. However, even many regular linux terms wil return they can render ANSI to that check.
MaNDaRaX
After I installed that press Esc 2x thing I haven't had any issues. I
I don't understand why you need a login at all right after the connection is established. Why not have an open BBS were users are free to surf the boards And if they want to write messages or read restricted areas they have to
I don't understand why you need a login at all right after the
connection is established. Why not have an open BBS were users are
free to surf the boards And if they want to write messages or read
restricted areas they have to
Did you ever run a BBS?
You cannot connect without a user account.
You could make a stupid guest account, but those are useless.
But what I wanted to express: why should I hand out my email address and phone number, before I can see anything of the BBS? Are you willing to
do SMS verification for every website you visit? A stupid guest account
is not at all useless.
You could make a stupid guest account, but those are useless.
I've used guest accounts on any board that will let me to see if it's worth signing up. Usually if I'm just out hunting for a file or
something it works great.
Yeah, I am thinking about limiting access to ANSI-only. I am getting so sick of these bots and clueless people. It's really taking the fun out
of it.
whu guest accounts ? Use a website and tell about your BBS. What users
On 15 Jan 2023, Oli said the following...
But what I wanted to express: why should I hand out my email
address and phone number, before I can see anything of the BBS? Are
you willing to do SMS verification for every website you visit? A
stupid guest account is not at all useless.
Welllll. A) you use the email addy for a password reset
B) users need accounts because EVERYTHING on the bbs centers around an account.
Oneliners, message bases, doors ext.
C) if you didn't have user accounts it would basically be a website.
On 16 Jan 2023, Goose said the following...
whu guest accounts ? Use a website and tell about your BBS. What
users
Just go to ftelnet.ca and make a link and put it on your website or email it to people.. like this
Welllll. A) you use the email addy for a password reset
How does that work? Is there a password reset option at login?
The BBS didn't tell me for what the email is needed and used. Maybe it's displayed for everyone to see? How do I know. I only know that many
sysops give a shit about privacy (laws).
B) users need accounts because EVERYTHING on the bbs centers around a account.
Oneliners, message bases, doors ext.
And how do I know what is available in the BBS before I register?
C) if you didn't have user accounts it would basically be a website.
There are websites with and without user accounts. Web is just another interface. And that is exactly my point. Make BBSs as open and easily accessible as a website.
Kidd wrote (2023-01-16):
On 16 Jan 2023, Goose said the following...
whu guest accounts ? Use a website and tell about your BBS. What
users
Just go to ftelnet.ca and make a link and put it on your website o email it to people.. like this
So we need the web and man-in-the-middle websites to use a BBS?
.... and emails
.... and SMS verification
.... and 128 GB of RAM for Windows 15 and Google Chrome 451 to run Gmail properly
There are websites with and without user accounts. Web is just another interface. And that is exactly my point. Make BBSs as open and easily accessible as a website.
Welllll. A) you use the email addy for a password reset
How does that work? Is there a password reset option at login?
accessible as a website.
I sort of wish we lived in a world in which gates and fences were not
But what I wanted to express: why should I hand out my email address and phone number, before I can see anything of the BBS? Are you willing to do SMS verification for every website you visit? A stupid guest account is not at all useless.I agree in this sense. Back in the days of yesteryear when BBS's required names, phone numbers and more personalizd information, being doxxed wasn't nearly the threat that it is today. With just a little bit of information you can literally determine the color of someone's front door in just a few minutes. The login sequence could be generally updated for todays standards, but will it ever be? We'd be hard pressed to see kind of update like that across boards, unless one currently active BBS software does something like that, and you never call another software board or lesser bit board again. Best bet is to just give out fake or incorrect information. I don't think our friendly local Sysops are out to destroy our lives! Not to mention it is a cakewalk to save your login information in your telnet client and just ALT your way right in. It's painless to login.
buy, yo yo yo!! the pirate way of life for me!!
·-──╖ Kídd ╓──·-· ·
╙ Wícked ╙
buy, yo yo yo!! the pirate way of life for me!!
·-──╖ Kídd ╓──·-· ·
╙ Wícked ╙
I believe it Yo, Ho, Ho, Its a Pirates life for me
And not to beat a dead horse on this subject. But if bbs's were
totally open and no logon credentials, You would have to have 1000+
nodes to account for the bots taking up nodes.
And if privacy is your
issue. FREE email account that is not linked to you. FAKE real name. VPN which if you were smart you would already be using. FREE SMS via TEXTr
to validate a number to gain access. There, now yow can try before you buy, yo yo yo!! the pirate way of life for me!!
For that matter, node limits and timeouts are an anachronism.
I suspect they survive in the "modern" BBS era simply because
that's how things have always been done.
For that matter, node limits and timeouts are an anachronism.
I suspect they survive in the "modern" BBS era simply because
that's how things have always been done.
that and multinode doors would be interesting to set up without a concept of nodes. (i'm thinking of the ones that require config files for each node)
For that matter, node limits and timeouts are an anachronism.
I suspect they survive in the "modern" BBS era simply because
that's how things have always been done.
I think it's ok to have a concept of a "node", it's just
the artificially low limits on them that I balk at in 2023.
A Raspberry Pi is absurdly more powerful than what people
were running multinode BBSes on back in the 90s, so why do
For that matter, node limits and timeouts are an anachronism.
I suspect they survive in the "modern" BBS era simply because
that's how things have always been done.
Timeout on my board is 3 minutes ... has been since 1993. Why would I want someone to just tie up one of my 4 telnet nodes just sitting there all day. Are all 4 nodes going to be filled at one time in 2023, probably not. But still, I don't want to come home to see some fool
that has respect for other people's stuff to just "sit there and
leave". If that was the case, there would be no /G goodbye cmds.
Not like it's hard to telnet back in within seconds and get back on.
Not like you'll have to wait for a modem to negoiate or get a busy
signal anymore.
I just don't understand people. You're not only wasting MY resources by idling there, but also yours. Granted it's a tiny amount, but still a waste on resources and bandwidth.
I think it's ok to have a concept of a "node", it's just
the artificially low limits on them that I balk at in 2023.
A Raspberry Pi is absurdly more powerful than what people
were running multinode BBSes on back in the 90s, so why do
When you have 400+ door games, and it takes a million config files to setup doors for each node because each node has to have a drop file, there's one example.
Secondly ... After you get 4 or 5 people on one
time ... things start to chug along.
Yeah, an ANSI restriction may limit SOME bots. However, even many regular linux terms wil return they can render ANSI to that check.
Yeah, an ANSI restriction may limit SOME bots. However, even many
regular linux terms wil return they can render ANSI to that check.
Limiting my BBS to ANSI-only has reduced the number of people trying to break in by about 90%. The bots get stuck because you are forced to type either a 1 or a 0 and they can't figure it out, and the humans are too
lazy to pick one.
... A program is used to turn data into error messages.
--- Mystic BBS v1.12 A47 2021/12/25 (Windows/64)
* Origin: The Unmarked Van (21:1/130)
Alonzo wrote to MaNDaRaX <=-
Limiting my BBS to ANSI-only has reduced the number of people trying to break in by about 90%. The bots get stuck because you are forced to
type either a 1 or a 0 and they can't figure it out, and the humans are too lazy to pick one.
GOM wrote to Alonzo <=-
Why you got so many people who want hack into a bbs ? It make no sense
to me ?!
GOM wrote to Alonzo <=-
Why you got so many people who want hack into a bbs ? It make no sense
to me ?!
They're looking for exploitable routers and IOT devices, most likely.
... Contact is inevitable, leading to information bleed.
--- MultiMail/Win v0.52
* Origin: realitycheckBBS.org -- information is power. (21:4/122)
Why you got so many people who want hack into a bbs ? It make no sense
change the port from 23 to some other port number.
Good idea. I will give that a try.
... Thats not a bug its an undocumented feature
--- Mystic BBS v1.12 A47 2021/12/25 (Windows/64)
* Origin: The Unmarked Van (21:1/130)
Yeah I am thinking about limiting access to ANSI-only. I am getting so sick of these bots and clueless people. Its really taking the fun out
of it.
ANSI only wont help entering A = A for a user in either ASCII or ANSI mode. S>I wonder if those clueless people are people. Looks more like BOTS to me. S>Change to a port higher than ..... 2000 - check the TCP and UDP port numbers list on wpedia for reserved ports.
GTx!
sPI!
--- Mystic BBS v1.12 A48 (Linux/64)
* Origin: -.sNd!gRDn.- a box full of Snd&Demo Related filez! (21:1/116)
I haven't thought of actually blocking countries at the router. I've been letting Mystic take care of that. But if it gets worse, I'll try that. Thanks.
Sysop: | digital man |
---|---|
Location: | Riverside County, California |
Users: | 1,064 |
Nodes: | 17 (1 / 16) |
Uptime: | 19:00:33 |
Calls: | 501,325 |
Calls today: | 4 |
Files: | 109,413 |
D/L today: |
2,650 files (341M bytes) |
Messages: | 302,020 |